Third-Party Risk Programs Should Focus on Offense, not Defense

Just 43 percent of organizations surveyed in NAVEX Global’s 2016 Ethics & Compliance Third Party Risk Management Report said they evaluated third parties before engaging with them—down from 68 percent in 2015.

That was one of the more troubling findings in this year’s report, and a central point of my presentation on bribery and corruption with Matt Kelly, CEO of Radical Compliance, at NAVEX Global’s Ethics & Compliance Virtual Conference. Given the rise in use of third parties—driven by economic conditions, productivity, globalization, specializations and (perceived) limitations on liability—and the increasing enforcement and coordination from regulators in the US, Europe and elsewhere, stronger due diligence seems clearly called for. This is particularly true in light of recent allegations against multinational firms in developing markets, where cutting deals with local officials in many cases is still considered the norm.

It’s hard to say exactly why organizations are falling behind in this critical area. It could be that conducting due diligence on varying types of third parties in all corners of the globe is complicated, and organizations are struggling to find a starting point. It’s also possible that they’re waiting for more regulatory guidance. In the worst case, they are just hoping to “get lucky.”

But none of these are good excuses, and waiting is not a good idea. Once an organization engages with a third party, potential liability attaches.

The good news is that there’s already some strong guidance from regulators. In 2012, the U.S. Securities and Exchange Commission and the Department of Justice released this guide to the Foreign Corrupt Practices Act. And just this fall, the International Organization for Standardization released ISO 37001, a new standard on anti-bribery management systems.

Neither set of recommendations presupposes one-size-fits-all standards. Basically, organizations should tailor a risk-based, reasonable program around the following actions:

Understand the qualifications and associations of third parties

Understand the business rationale for including third parties

Include some form of ongoing monitoring of third-party relationships

Communicate the organization’s commitment to ethical business practices

These guideposts are especially important given the change in tenor from Washington and other regulatory authorities in recent years. In the Yates Memo, regulators have said they will seek greater accountability from individuals who perpetrate wrongdoing while also seeking more resources for enforcement. But they’ve also shown willingness to reward organizations that provide greater cooperation.

None of this bodes well for organizations looking to lie low and avoid discovery. Instead, it should be a further wakeup call to be as prepared as reasonably necessary and possible. Foreign enforcement organizations around the world are also increasing their efforts. The United Kingdom Serious Fraud Office has increased sanctions, stronger enforcement is appearing in Italy, Mexico and Argentina, and France’s Sapin II anti-corruption law arrived this fall. All of this comes with heightened coordination among regulators, and the U.S. DOJ and SEC Division of Enforcement’s work to expand “its efforts to obtain evidence of potential wrongdoing from around the globe.”

Automation appears to be a clear way to improve all aspects of compliance when it comes to identifying and preventing bribery and corruption conducted on behalf of an organization by its third parties. Our recent third-party survey report found that respondents who used an automated system rated their programs higher in areas ranging from compliance with laws and regulations to screening and monitoring of third parties to documenting processes and protocols.

That’s not to say the human element isn’t still valuable, as automation can have its limits. When automating your third-party programs, you should map out the risk management process, determine the scope of the work your organization does with third parties and determine what can and can’t be automated and where hands-on review and decision making by individuals is best utilized.

Big picture, organizations should review existing laws and guidance, set clear policies on anti-bribery and corruption, put them in writing and communicate them with their own employees and the employees of third parties.

Never forget that compliance programs should first be seen as a benefit to an organization. The approach to program design and management should not be only about avoiding regulatory enforcement or reducing fines when an organization is indicted by regulators; it should also focus on the clear business reasons for managing third-party risk.
